[Samba] Duplicate ObjectSid values
Andrew Bartlett
abartlet at samba.org
Tue May 17 19:07:03 UTC 2016
On Tue, 2016-05-17 at 12:11 +0100, ash-samba at comtek.co.uk wrote:
> > G'Day,
> >
> > This is a serious situation. What it means is that the nextRid
> > value for that DC points at a user account that already exists, so
> > when we go to create it, the create fails.
> I've just looked at the LDAP output, and nextRid is 1000 for both dn:
> CN=Builtin,DC=chester-dc,etc and for dn: DC=chester-dc,etc
>
> The most recent successful new user (that I'm aware of) is objectSid:
> S-1-5-21-2702589905-558746101-3641499263-2825
>
> I can't see any objectSid entries which end in 1000 though. The lowest
> one we have is S-1-5-21-2702589905-558746101-3641499263-1101
> > That, and the other issue, suggests you have had some serious DB
> > corruption, and this may not be the only issue. Does a full
> > dbcheck pass? (Not just the reindex).
> dbcheck works on empire.
> > Is there another DC that still works, that you can replicate from?
> > (but you suggested other issues I think).
>
> We can successfully "/usr/bin/samba-tool user add" with alaska (a
> machine located on another continent, with a quite unreliable link!),
> and that gives us an account with
> S-1-5-21-2702589905-558746101-3641499263-7125 on -both- alaska and
> empire, so there is clearly some amount of working replication.
> Confusingly, after doing this nextRid is still 1000 on both machines.
The value you need to look for is in the RID Set, not the domain, which
is a legacy figure we don't use. Sorry for the red herring.
> Creating a new local DC (and decommissioning empire) would be a good
> solution for us. I can add a new DC (v-ward) by specifying
> --server=alaska.chester-dc, and I get no errors in the process. The
> samba process on v-ward isn't working, though. I'm still trying to debug
> this (currently it isn't even listening to port 389).
OK. That seems serious.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
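
The check discussed in this message, as an added example that is not part of the original post and is not Samba code: it scans an LDIF-style dump for duplicate objectSid values and for a RID Set whose next RID is already in use. It assumes the per-DC counter is the rIDNextRID attribute on the CN=RID Set object and that the next RID handed out is rIDNextRID + 1; the sample dump, DNs and domain SID are constructed.

```python
import re
from collections import defaultdict

# Constructed sample, not taken from the thread. Assumes SIDs are printed in
# string form and that no LDIF line folding or base64 ("::") values are present.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111-2222-3333"
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
objectSid: S-1-5-21-1111-2222-3333-1104

dn: CN=bob,CN=Users,DC=example,DC=test
objectSid: S-1-5-21-1111-2222-3333-1105

dn: CN=carol,CN=Users,DC=example,DC=test
objectSid: S-1-5-21-1111-2222-3333-1105

dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=example,DC=test
rIDNextRID: 1103
"""

def parse_entries(ldif):
    """Split an LDIF dump into one {attribute: [values]} dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)
                entry[attr].append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(ldif, domain_sid):
    """Return (duplicate SIDs -> DNs, [(RID Set DN, colliding next RID)])."""
    entries = parse_entries(ldif)
    by_sid = defaultdict(list)
    for e in entries:
        for sid in e.get("objectSid", []):
            by_sid[sid].append(e["dn"][0])
    duplicates = {s: dns for s, dns in by_sid.items() if len(dns) > 1}
    # Only RIDs under the domain SID matter; builtin SIDs are ignored.
    used = {int(s.rsplit("-", 1)[1]) for s in by_sid if s.startswith(domain_sid + "-")}
    # Assumption: the next RID allocated is rIDNextRID + 1.
    collisions = [(e["dn"][0], int(v) + 1) for e in entries
                  for v in e.get("rIDNextRID", []) if int(v) + 1 in used]
    return duplicates, collisions

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF, SAMPLE_DOMAIN_SID))
```
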